In June 2023, Fortinet published advisory FG-IR-23-097 (CVE-2023-27997) for a heap-based buffer overflow [CWE-122] in the SSL-VPN component of FortiOS, FortiOS-6K7K and FortiProxy.
A remote, unauthenticated attacker can exploit the flaw with specially crafted requests to execute arbitrary code or commands on the device. The vulnerability carries a CVSS score of 9.8 and is rated critical.
Like CVE-2022-42475 from December 2022, which was exploited in the wild, this is a memory-corruption bug in the SSL-VPN code path, so any appliance whose SSL-VPN portal is reachable from the Internet is exposed before authentication.
Affected versions are as follows:
FortiOS: 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.13, and 6.0.0 through 6.0.16.
FortiOS-6K7K: 7.0.10, 7.0.5, 6.4.12, 6.4.10, 6.4.8, 6.4.6, 6.4.2, 6.2.9 through 6.2.13, 6.2.6 through 6.2.7, 6.2.4, 6.0.12 through 6.0.16, and 6.0.10.
FortiProxy: 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, 2.0.0 through 2.0.12, and all releases of 1.2 and 1.1.
Recommended action: if you do not use the SSL-VPN function, disable it (and in any case do not leave the portal exposed to the Internet while unpatched).
Otherwise, upgrade as soon as possible to a fixed release:
FortiOS: 7.4.0, 7.2.5, 7.0.12, 6.4.13, 6.2.14, 6.0.17 or later.
FortiOS-6K7K: 7.0.12, 6.4.13, 6.2.15, 6.0.17 or later.
FortiProxy: 7.2.4, 7.0.10, 2.0.13 or later.
Note that patching closes the hole but does not evict an attacker who already used it, so devices that were Internet-exposed while on an affected build should also be checked for signs of compromise.
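Checking a fleet of appliances against the version lists above is error-prone by hand, especially for FortiOS-6K7K, where single releases are affected rather than whole ranges. The following Python script is an added example (not Fortinet's code or part of the advisory) that encodes the affected and fixed releases from FG-IR-23-097 and classifies a version as affected, fixed, or not listed by the advisory. It assumes the version string comes from the `Version:` line of the FortiOS CLI command `get system status`; the sample line embedded in the script is constructed, not captured from a real device.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]


def _branch(major: int, minor: int) -> Range:
    """Inclusive range covering every patch release of a major.minor branch
    (used for 'all releases of 1.2 and 1.1' in FortiProxy)."""
    return ((major, minor, 0), (major, minor, 10**6))


# Affected releases exactly as listed in FG-IR-23-097. Each entry is an inclusive
# range; a single affected release is written as a one-element range.
AFFECTED: Dict[str, List[Range]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 4)), ((7, 0, 0), (7, 0, 11)), ((6, 4, 0), (6, 4, 12)),
        ((6, 2, 0), (6, 2, 13)), ((6, 0, 0), (6, 0, 16)),
    ],
    "FortiOS-6K7K": [
        ((7, 0, 10), (7, 0, 10)), ((7, 0, 5), (7, 0, 5)),
        ((6, 4, 12), (6, 4, 12)), ((6, 4, 10), (6, 4, 10)), ((6, 4, 8), (6, 4, 8)),
        ((6, 4, 6), (6, 4, 6)), ((6, 4, 2), (6, 4, 2)),
        ((6, 2, 9), (6, 2, 13)), ((6, 2, 6), (6, 2, 7)), ((6, 2, 4), (6, 2, 4)),
        ((6, 0, 12), (6, 0, 16)), ((6, 0, 10), (6, 0, 10)),
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 3)), ((7, 0, 0), (7, 0, 9)), ((2, 0, 0), (2, 0, 12)),
        _branch(1, 2), _branch(1, 1),
    ],
}

# First fixed release on each branch, per the advisory.
FIXED: Dict[str, List[Version]] = {
    "FortiOS": [(7, 4, 0), (7, 2, 5), (7, 0, 12), (6, 4, 13), (6, 2, 14), (6, 0, 17)],
    "FortiOS-6K7K": [(7, 0, 12), (6, 4, 13), (6, 2, 15), (6, 0, 17)],
    "FortiProxy": [(7, 2, 4), (7, 0, 10), (2, 0, 13)],
}

# Matches the 'vX.Y.Z' token in a 'get system status' Version line; the build
# number that follows it is irrelevant to the advisory and is ignored.
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from text such as 'Version: FortiGate-100F v7.0.11,build...'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no vX.Y.Z version found in: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_for(product: str, version: Version) -> Optional[Version]:
    """First fixed release on the same major.minor branch, or None when the advisory
    lists no fix for that branch (e.g. FortiProxy 1.x must move to a newer branch)."""
    for fixed in FIXED[product]:
        if fixed[:2] == version[:2]:
            return fixed
    return None


def assess(product: str, version: Version) -> str:
    """Return 'affected' if the version falls inside a listed range, 'fixed' if it is at
    or above the fix for its branch, otherwise 'not listed'. 'not listed' is deliberately
    not treated as safe: it covers releases the advisory does not evaluate, such as
    FortiOS-6K7K 6.2.14 (between the last affected 6.2.13 and the fix 6.2.15) and any
    branch released after the advisory."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product {product!r}")
    if any(lo <= version <= hi for lo, hi in AFFECTED[product]):
        return "affected"
    fixed = fix_for(product, version)
    if fixed is not None and version >= fixed:
        return "fixed"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample of a 'get system status' Version line, not real device output.
    STATUS_LINE = "Version: FortiGate-100F v7.0.11,build9999,230101 (GA.F)"
    v = parse_version(STATUS_LINE)
    print(f"FortiOS {'.'.join(map(str, v))}: {assess('FortiOS', v)}, "
          f"upgrade to {'.'.join(map(str, fix_for('FortiOS', v)))}")
```

Version tuples compare lexicographically, so `(7, 0, 11) <= (7, 0, 11)` and `(6, 2, 14) < (6, 2, 15)` behave as expected without any string parsing of dotted versions. The three-way result matters in practice: a device that comes back `not listed` is not cleared, it simply runs a build the advisory did not evaluate, and should be treated like an affected one until confirmed otherwise.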
#PCI #PCI DSS #Compliance
Reference: https://www.fortiguard.com/psirt/FG-IR-23-097